Let's say my PC & server are in an environment where a theoretical attacker has physical access to the machine while I'm not there. Now the data is encrypted on the hard drive with TrueCrypt. However, if I'm not there I usually don't bother dismounting the encrypted containers, as it's time consuming to enter the long password to remount them each time. So the data is readable if you have access to the machine and know the password to log in. Now I assume the data must also be readable if I'm not logged in either, as they could plug a device into one of the USB ports and copy the unencrypted data on the hard drive partitions that are mounted.

My plan is to stop a casual attacker, e.g. a flatmate, colleague etc. plugging in and copying data from the hard drive. Obviously it's less likely they're going to open up the case and hot-plug something into the PCI bus to do it. Also it's unlikely they will walk off with the PC to do a thorough job of it.

How do I disable unused USB ports etc when the computer is in 'locked' mode so that they can't just plug in and copy data from the hard drive? Any other precautions that I could take?

Methods and/or suggestions for Windows 7 and Linux would be great. Thanks!

From what you wrote, it's the typical security/usability tradeoff: are your data worth at least the time you spend entering the password? If not, why bother with any encryption at all?
– Piskvor, Mar 28 '12 at 9:54

If the account is locked then they cannot copy any data. If they were to log into another user, then the locked user's data would be secure. I still feel you're trying to solve the wrong problem.
– Ramhound, May 7 '12 at 11:29

1

In that scenario, you should also worry about FireWire, which has DMA support
– ixe013, May 8 '12 at 12:59

On Linux, USB devices are not normally automounted. Normally you need root access to do so. What Linux are you talking about here?
– Nils, May 10 '12 at 11:01

@Nils: Most of the consumer-oriented Linux distros (Ubuntu comes to mind) automount USB devices R/W for the logged-in user (which usually means "user with an X server at display :0"), out of the box. More detail from the OP is needed, indeed.
– Piskvor, May 11 '12 at 9:23

7 Answers
7

I can give you a Linux solution. Firstly, you'll need to use this script to lock your screen; secondly, this only disables usb storage devices

#!/bin/sh
# Unload the USB mass-storage driver so newly plugged-in drives are not recognised.
# modprobe -r refuses to unload while a USB drive is still mounted, so unmount first.
sudo modprobe -r usb_storage
# Lock the GNOME session (the command is gnome-screensaver-command, not gnome-screen-saver).
gnome-screensaver-command --lock

You can modify this to totally disable the usb stack - you'll need to modprobe -r on ohci, xhci and ehci and any other prefixes to hci you can find. In my kernel, these are baked into the core binary, so there is nothing I can do to remove them from the kernel.

Be aware that removing those host controllers will also totally wipe out your usb keyboard and mouse - so ensure you're running serial.

You can also do this the hard way - i.e. no support at all, using the techniques here or by totally removing the relevant controllers from the kernel.

As to whether this can be done on Windows - from looking, not so easily. You can disable USB storage classes using something akin to this method - and you can definitely lock the screen from a script using Rundll32.exe User32.dll,LockWorkStation. However, I suspect a dedicated solution for this would be best.

On the likelihood of USB cloning devices actually working - well the USB spec simply defines a bus. At the host end, you need device drivers capable of communicating with the device for it to work. These exist for mass storage devices, obviously, however, in order to automatically install drivers you need Windows - Linux has no such autorun capability (that I know of). However, Windows does. In which case, a simple solution would be:

Turn off autorun. Windows will then not run any applications automatically on inserting a USB device.

Turn off automatic driver installation. To do this, go to run and type gpedit.msc. Go to Computer Configuration, Administrative Templates, System, Device Installation, Device Installation Restrictions. From here, you can totally disable driver installation - "Prevent installation of devices not described by other policy settings" will do exactly this. (source).

Under these circumstances, there would be no way for an inserted USB device to actually initiate a copy of your disk assuming no bugs in the USB device drivers that could be exploited for this purpose (very, very unlikely).

(Not that I'm paranoid, but I tend to run systems I care about with device driver installation blocked anyway, just for good measure. Also, UAC these days, along with driver signing if you're using x64 Windows, should prompt before installing a driver, so you should be good. But just in case...)

As for "Turn off autorun" - this is more or less the default in all versions of Windows since XP SP2: you'll get a pop-up dialog with the autorun item preselected, but you need to activate it manually (which is not possible when the screen is locked :)).
– Piskvor, May 7 '12 at 12:18

3

@Piskvor true, but if there are ever any bugs in the new autorun functionality, having it turned off is better than having it turned on. Given we're talking about the unlikely case of USB devices capable of cloning hard disks...
– user2213, May 8 '12 at 7:50
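The answer above unloads usb_storage by hand and then locks the screen; the following added example (not from the original answer or any project on this page) wires the same idea to the lock event itself. It listens for the GNOME screensaver's ActiveChanged D-Bus signal with dbus-monitor, unloads usb_storage when the session locks and reloads it on unlock, and reports when modprobe -r fails because a drive is still mounted. A GNOME session, the dbus-monitor tool, and sudo rights for modprobe are assumed; the /proc/modules lines used by usb_storage_state in the test are constructed samples.

```shell
#!/bin/sh
# Added example: unload usb_storage on screen lock, reload on unlock.
# Assumptions: GNOME screensaver on the session bus, dbus-monitor installed,
# passwordless sudo for modprobe (or run the watcher as root).

# Map one line of dbus-monitor output to an action.
# The ActiveChanged signal carries one boolean argument, which dbus-monitor
# prints as "   boolean true" (locked) or "   boolean false" (unlocked).
# Prints "lock", "unlock", or nothing for lines that are not that argument.
screensaver_action() {
    case "$1" in
        *"boolean true"*)  printf 'lock' ;;
        *"boolean false"*) printf 'unlock' ;;
        *)                 printf '' ;;
    esac
}

# Return the command for an action as text, so it can be logged and checked
# before anything is executed.
action_command() {
    case "$1" in
        lock)   printf 'sudo modprobe -r usb_storage' ;;
        unlock) printf 'sudo modprobe usb_storage' ;;
        *)      return 1 ;;
    esac
}

# Inspect /proc/modules-style text (pass "$(cat /proc/modules)" on a real
# system) and print "loaded" if the usb_storage driver is present, else "absent".
usb_storage_state() {
    if printf '%s\n' "$1" | grep -q '^usb_storage '; then
        printf 'loaded'
    else
        printf 'absent'
    fi
}

# Follow the screensaver signal and apply the matching action.
watch_screensaver() {
    dbus-monitor --session \
        "type='signal',interface='org.gnome.ScreenSaver',member='ActiveChanged'" |
    while IFS= read -r line; do
        action=$(screensaver_action "$line")
        [ -n "$action" ] || continue
        cmd=$(action_command "$action")
        # $cmd is deliberately unquoted so the shell splits it into words.
        if ! $cmd; then
            # modprobe -r fails while a USB disk is still mounted; say so
            # rather than silently leaving the port usable after lock.
            echo "usb-lock: '$cmd' failed (is a USB drive still mounted?)" >&2
        else
            echo "usb-lock: $action -> usb_storage is now $(usb_storage_state "$(cat /proc/modules)")" >&2
        fi
    done
}

# Only start watching when asked, so sourcing the file just defines the functions.
if [ "${1:-}" = "--watch" ]; then
    watch_screensaver
fi
```

Run it as `./usb-lock.sh --watch` from the desktop session; like the original script it only covers mass-storage devices, and keyboards, mice and anything that does not need usb_storage keep working.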

The standard approach is to fill the USB ports with epoxy resin. Of course, this must be combined with similar approaches to seal the case, so the attacker can't get in via the PCI bus, etc.

Note that even if you do this, law 3 still applies: if a bad guy has unrestricted physical access to your computer, it's not your computer anymore.

EDIT: reflecting update to question:

In the specific scenario you outline, then to block it, just turn off auto-run. It should already be off in Windows if you've got it patched properly; in Linux how to turn it off (or even if it's on) depends on Distro, Desktop Environment, etc.

However, please do note that the specific scenario you outline does not make sense. If the attacker is serious enough to build a custom USB stick to do this, then they are not going to be so casual that they give up when it doesn't work, and will try something else. Boot from a LiveCD, copy your TrueCrypt volumes, install a keylogger, and wait to get the password in the mail, for example. Law 3: it's their computer now.

Actually an attacker serious enough to build such a stick probably isn't going to bother because they'll not expect auto-run to still be on.

This is the "standard approach"? I was thinking more on the lines of disabling via the BIOS or, if it's necessary to make them available without reboot, Device Manager. +1 for "law 3".
– Iszi, Mar 28 '12 at 13:20

1

Hmm, I may have reacted badly to him not being bothered to type in his password. By god, if I've got to remember half a dozen sixteen character passwords, he should too!
– Graham Hill, Mar 29 '12 at 10:03

This is a flippant, unhelpful answer. My use case is stopping a casual attacker, e.g. a flatmate, colleague etc. plugging in and copying data from the hard drive. Obviously it's less likely they're going to open up the case and hot-plug something into the PCI bus to do it. Also it's unlikely they will walk off with the PC to do a thorough job of it. It's more of a deterrent. All I want is a piece of software which runs on Windows/Linux which locks the USB ports so that it won't install any new devices when the computer screen is 'locked' and therefore their autocopying device won't work.
– zuallauz, May 5 '12 at 1:03

3

@zuallauz It is a realistic answer that is relatively commonly practiced. That would be a handy bit of software as you're asking for it, but I'm not aware of its existence. As far as Windows / Linux go, the hardware won't talk to a device unless the kernel recognizes it, but that doesn't help if you have some devices on.
– Jeff Ferland♦, May 5 '12 at 2:01

@zuallauz - You are trying to solve the wrong problem. If you walk away from your computer then you shouldn't be logged into your computer. If your computer is locked then they cannot copy the data.
– Ramhound, May 7 '12 at 11:26

If you're using some sort of endpoint protection, they may have the ability to disable USB flash drives. I know the Symantec Endpoint Protection has the ability to disable USB flash while allowing other USB devices.

You can write a PowerShell script for the lock and unlock screen events to disable the installation of new USB devices.
Your script must change the local GPO settings at every lock and unlock of your screen.

I don't mind if they copy from the USB drive. I mind if they copy the hard drive. Like they plug in a USB based hacking device, it auto installs the drivers etc then runs a script which copies all the data on the hard drive to the device.
– zuallauz, Apr 3 '12 at 20:27

@zuallauz: Can you give an example of the type of device you're trying to protect against? It sounds like you're trying to defend against an imaginary threat. (At least, since Windows machines started disabling autorun by default.)
– David Schwartz, May 8 '12 at 5:57

@DavidSchwartz I'm also wondering about this. How can USB auto-run itself if auto-run is disabled by default in the OS? Is it even possible?
– Stan, May 8 '12 at 11:13

If the computer is locked then software cannot be installed. By default auto-run is disabled in Windows 7.
– Ramhound, May 10 '12 at 15:32